This is a lab using Metasploit and Metasploitable in a virtual environment to demonstrate configuring virtual local networks and basic penetration testing, including scanning, enumeration, and exploitation. Technologies used include Metasploit, nmap, Oracle VirtualBox, Telnet, and Kali Linux. This lab is in part based on the following tutorials: David Bombal's Metasploit Hacking Demo as well as Hacker 101's How to Hack Metasploitable 2 series.
Requires two machines: an attacking machine and Metasploitable. Here I used the Kali Linux image for Oracle VirtualBox, which can be opened directly and works out of the box.
Metasploitable can be downloaded directly from Rapid7's download page and can be run through Oracle VirtualBox as well.
Log in using msfadmin / msfadmin to get the server up and running.
To connect the two machines, we use the network manager to add a new NAT Network to function as a private virtual network for the two virtual machines, here titled metasploiting_lab.
We then attach the attacking Kali Linux machine to the new NAT Network as shown here, and repeat for the Metasploitable machine.
After launching both machines, run ip a on Metasploitable to show its current IP address. Here the IP listed is 192.168.1.4, and pinging it from the attacking machine proves connectivity.
From the attacking machine, run ping -c 1 <ip address> to send one ping. From the results, we can see that the two machines are connected.
This can also be demonstrated by opening Metasploitable's IP address in a web browser.
Before, we demonstrated that the machines are connected by grabbing the IP address directly from Metasploitable's console. From here on, we assume no knowledge of Metasploitable's console beyond checking that exploits worked. First, we must demonstrate how to find Metasploitable's IP address manually. We use nbtscan to scan the network for running machines. Here we run nbtscan 192.168.0.0/16 to discover hosts across the entire 192.168.x.x private address space. This assumes the Metasploitable instance is attached to the same NAT Network and is therefore using a 192.168.x.x address. The scan is successful, and we find the METASPLOITABLE server running at 192.168.1.4.
We then run nmap with a stealthy SYN scan (-sS) to see the open TCP ports. We also use -sV and -O to print the service and version behind each port as well as the operating system of the host. Note that nmap can be run from both the Metasploit console and the Linux terminal. This is done here with nmap -O -sS -sV <ip address>.
We can see that this host has multiple open TCP ports, including FTP (vsftpd 2.3.4), SSH, Telnet, SMTP, and the Metasploitable root shell. We can also see that the host is running Linux. From here, we can explore more specific vulnerabilities and exploit them. We start by opening Metasploit using msfconsole.
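A defender runs the same scan against their own network to find services like these before an attacker does. The following is an added example (not part of the original lab) that parses nmap's grepable output (-oG) and flags open ports whose service or version matches a watchlist; the sample output is constructed to resemble what the scan above reports, not captured from the lab.

```python
"""Flag risky services in nmap grepable (-oG) output.

Added example, not part of the original lab. SAMPLE_OG is a constructed
host line in the -oG format (port/state/proto/owner/service/rpc/version).
"""
import re

# Constructed sample of one nmap -oG host line (not captured from the lab).
SAMPLE_OG = (
    "Host: 192.168.1.4 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "23/open/tcp//telnet//Linux telnetd/, "
    "25/open/tcp//smtp//Postfix smtpd/, "
    "1524/open/tcp//bindshell//Metasploitable root shell/"
    "\tIgnored State: closed (994)\tOS: Linux 2.6.9 - 2.6.33\n"
)

# Watchlist: the exact version string the lab exploits, plus services that
# should never be exposed (cleartext logins, a listening root shell).
WATCHLIST = {
    "vsftpd 2.3.4": "FTP daemon version with a known backdoor (see lab exploit)",
    "telnet": "cleartext remote login service",
    "bindshell": "unauthenticated root shell listening on the network",
}

def parse_og(text):
    """Return a list of (host, port, service, version) for every open port."""
    results = []
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: (.*?)(?:\t|$)", line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(", "):
            fields = entry.split("/")
            # fields: port, state, proto, owner, service, rpc, version
            if len(fields) < 7 or fields[1] != "open":
                continue
            results.append((host, int(fields[0]), fields[4], fields[6]))
    return results

def flag_findings(text, watchlist=WATCHLIST):
    """Return (host, port, reason) for open ports whose service or version
    string exactly matches a watchlist key."""
    findings = []
    for host, port, service, version in parse_og(text):
        for key, reason in watchlist.items():
            if key in (service, version):
                findings.append((host, port, reason))
    return findings
```

Feed it the output of nmap -oG - (or a saved -oG file) from a scan of your own hosts; an exact-match watchlist is deliberately conservative, so extend it with the versions your environment cares about.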
Focusing on port 21 (FTP), we use nmap -sV -p 21 <ip address> to show the details of this specific port. Seeing the vsftpd version, we can search Metasploit for an exploit matching it.
We can search Metasploit for this specific vulnerability using search vsftpd. Here we see two results: one for a denial of service (DoS), the other for the vsftpd 2.3.4 backdoor.
Using info 1 gives us the full description of the related module. Here we look into the vsftpd_234_backdoor module, and see the full details including options and a description.
After doing use 1 to select this module, we use show options to see the same options from the info screen. Here, RHOSTS is empty and required, so it needs to be set. We do setg RHOSTS <ip address> to set the global variable of RHOSTS to the target remote IP address. This way, RHOSTS is set for this exploit and across other modules as well.
exploit runs the exploit, and it works! We now have a remote shell on the Metasploitable server. Note that the shell does not print a prompt with the current working directory like a normal terminal does.
Once inside the remote shell, any typical Linux command works normally. As a demonstration of the connection, we run shutdown now to shut the server down.
On the Metasploitable machine's console, we can see the shutdown sequence, which our attacking terminal does not show. The attack worked as intended.
To further demonstrate, connecting to the IP address in a web browser no longer connects to the Metasploitable home page.
We restart the Metasploitable machine and begin again.
After restarting the vulnerable machine, we explore a second attack: SMTP enumeration on TCP port 25. To start enumerating SMTP, we need to scan the port in more depth. We can begin by attempting to enumerate all the users on this port using an nmap script: nmap -p 25 --script smtp-enum-users <ip address>
Here, for one reason or another, the script failed because it received an unexpected status code. We can look further into this by using another nmap script to list the commands the server supports: nmap -p 25 --script smtp-commands <ip address>
From this, we can see that VRFY is supported. The nmap script previously failed because the server returned a non-standard response during RCPT TO probing, which caused the script to stop. We can manually verify users through VRFY, but the nmap script uses a mixture of multiple commands including RCPT TO. So, we must move on to try other methods of enumeration. We can open back up Metasploit and look for smtp specific scanners. However, this does confirm that SMTP user enumeration is possible on the target as the VRFY command is enabled.
Here we can see an SMTP User Enumeration Utility. We use info 4 to see the full description of this module.
We can see that this module uses VRFY and ETRN, both of which we found in our previous nmap script output. So, we select the module with use 4 and again set the global variable for the remote host with setg RHOSTS <ip address>. We also use show options to confirm that our change went through.
After entering run, the scanner runs and may take several minutes to work through the full user list.
We can use Telnet with telnet <ip address> 25 to connect to the SMTP port and verify some of the users we found using the VRFY command. Note that, like nmap, Telnet can be run from the Linux terminal or within the Metasploit console. We use VRFY <username> to verify the users we received from the scan. We can also show the server's response for a username that does not exist.
This confirms the user list we received from the scan: we now know which users exist on this SMTP server.
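The enumeration above leaves a clear trace: one client issuing many VRFY (or EXPN) commands in a short time. The following added example, not part of the original lab, runs a sliding-window detector over a constructed per-command SMTP log (timestamp, client IP, command) of the kind a network sensor or verbose MTA log would record; the usernames in the sample are constructed, not taken from the scan results.

```python
"""Detect SMTP VRFY/EXPN user-enumeration bursts in a captured command log.

Added example, not part of the original lab. SAMPLE_LOG is a constructed
log in a simple "timestamp client_ip command" form; adapt parse_log() to
whatever your sensor or MTA actually writes.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one client hammers VRFY (as the smtp_enum scanner in
# the lab does), another runs a single ordinary-looking mail session.
SAMPLE_LOG = """\
2024-05-01T10:00:00 192.168.1.5 EHLO kali
2024-05-01T10:00:01 192.168.1.5 VRFY root
2024-05-01T10:00:01 192.168.1.5 VRFY msfadmin
2024-05-01T10:00:02 192.168.1.5 VRFY postgres
2024-05-01T10:00:02 192.168.1.5 VRFY nosuchuser
2024-05-01T10:00:03 192.168.1.5 VRFY service
2024-05-01T10:00:40 192.168.1.9 EHLO mail.example.test
2024-05-01T10:00:41 192.168.1.9 MAIL FROM:<a@example.test>
2024-05-01T10:00:41 192.168.1.9 RCPT TO:<msfadmin@localhost>
2024-05-01T10:00:42 192.168.1.9 DATA
"""

ENUM_VERBS = {"VRFY", "EXPN"}  # the two SMTP verbs used for user enumeration

def parse_log(text):
    """Yield (timestamp, client_ip, verb) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, cmd = line.split(" ", 2)
        yield datetime.fromisoformat(ts), ip, cmd.split(" ", 1)[0].upper()

def vrfy_alerts(text, threshold=4, window_seconds=60):
    """Return {client_ip: peak_count} for clients that issued at least
    `threshold` VRFY/EXPN commands within any `window_seconds` window."""
    recent = defaultdict(deque)  # per-client timestamps inside the window
    alerts = {}
    for ts, ip, verb in parse_log(text):
        if verb not in ENUM_VERBS:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop commands that fell out of the window
        if len(q) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts
```

Blocking the technique is simpler than detecting it: if the target MTA is Postfix (the lab's nmap output does not say which MTA it is), setting disable_vrfy_command = yes in main.cf turns VRFY off entirely.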